All logs from different Fabric devices are normalized and available for search in Log View under the Fabric section.
- In FortiAnalyzer 6.4.0, SIEM features are available with all VM models and most hardware models (FortiAnalyzer 400E and above).
- When one or more devices are added or promoted to a Fabric ADOM and logs are being sent to FortiAnalyzer, a SIEM database (siemdb) is automatically created for the ADOM. All logs are inserted into the siemdb and displayed in Log View > Fabric > All.
- SIEM databases are created based on ADOMs. If there are multiple Fabric ADOMs with logs, the same number of SIEM databases are automatically created.
- Go to System Settings > All ADOMs and create a Fabric ADOM. For example, Fabric_ADOM1.
- Configure a FortiGate to send logs to FortiAnalyzer, and promote the FortiGate device to the Fabric ADOM.
- From the CLI, confirm that a siemdb has been created for the Fabric_ADOM1 ADOM. Once logs have been received, the ADOM should appear in the output with a non-zero row count:
FAZVM64 # diagnose test application siemdbd 6
ADOM Fabric_ADOM1 : part-days=1 rows=33 bytes=21.4KB time=[2020-04-27 15:40:17, 2020-04-27 15:40:17] duration=1s
*** Total tracked ADOMs: 1, Time to refresh: 27(sec)
- Go to Log View > Fabric > All. Normalized logs from FortiGate are automatically displayed in the siemdb format.
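The following Python script is an added example, not part of the FortiAnalyzer documentation or product. It parses the output of `diagnose test application siemdbd 6` in the one-line-per-ADOM layout shown above and reports, for each Fabric ADOM you expect to be logging, whether its siemdb is present and populated, which is the check step 3 asks you to make. It assumes that every tracked ADOM is printed in that same layout followed by the `*** Total tracked ADOMs` summary line; the sample output is constructed, and the zero-row line for Fabric_ADOM2 is a hypothetical shape, since the page shows only a populated database.

```python
"""Parse 'diagnose test application siemdbd 6' output and check siemdb per Fabric ADOM.

Added example; not FortiAnalyzer code. Assumes every tracked ADOM is printed in
the one-line format shown on the page, followed by a '*** Total tracked ADOMs'
summary line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output. The Fabric_ADOM1 line copies the page; the
# Fabric_ADOM2 line is a hypothetical zero-row database in the same layout.
SAMPLE_OUTPUT = """\
ADOM Fabric_ADOM1 : part-days=1 rows=33 bytes=21.4KB time=[2020-04-27 15:40:17, 2020-04-27 15:40:17] duration=1s
ADOM Fabric_ADOM2 : part-days=0 rows=0 bytes=0B time=[, ] duration=0s
*** Total tracked ADOMs: 2, Time to refresh: 27(sec)
"""

ADOM_RE = re.compile(
    r"^ADOM\s+(?P<adom>\S+)\s*:\s*part-days=(?P<part_days>\d+)\s+rows=(?P<rows>\d+)\s+"
    r"bytes=(?P<size>\S+)\s+time=\[(?P<start>[^,\]]*),\s*(?P<end>[^\]]*)\]\s+duration=(?P<duration>\S+)"
)
TOTAL_RE = re.compile(
    r"^\*\*\*\s+Total tracked ADOMs:\s*(?P<total>\d+),\s*Time to refresh:\s*(?P<refresh>\d+)\(sec\)"
)


@dataclass
class SiemdbStatus:
    adom: str
    part_days: int
    rows: int
    size: str          # kept as printed, e.g. "21.4KB"
    start: str
    end: str
    duration: str


@dataclass
class SiemdbReport:
    adoms: List[SiemdbStatus]
    total_tracked: Optional[int]   # None if the summary line is absent
    refresh_sec: Optional[int]


def parse_siemdb_report(text: str) -> SiemdbReport:
    """Turn the raw CLI output into structured per-ADOM records."""
    adoms: List[SiemdbStatus] = []
    total = refresh = None
    for line in text.splitlines():
        line = line.strip()
        m = ADOM_RE.match(line)
        if m:
            adoms.append(SiemdbStatus(
                adom=m["adom"], part_days=int(m["part_days"]), rows=int(m["rows"]),
                size=m["size"], start=m["start"].strip(), end=m["end"].strip(),
                duration=m["duration"]))
            continue
        m = TOTAL_RE.match(line)
        if m:
            total, refresh = int(m["total"]), int(m["refresh"])
    return SiemdbReport(adoms, total, refresh)


def check_fabric_adoms(text: str, expected_adoms: List[str]) -> Dict[str, str]:
    """Classify each Fabric ADOM you expect to be logging as ok / empty / missing.

    missing: no siemdb is tracked for the ADOM (not a Fabric ADOM, or no device
             has sent logs yet, so the database was never auto-created)
    empty:   a siemdb exists but has no rows inserted
    ok:      the siemdb is populated
    """
    report = parse_siemdb_report(text)
    by_name = {s.adom: s for s in report.adoms}
    result: Dict[str, str] = {}
    for adom in expected_adoms:
        status = by_name.get(adom)
        if status is None:
            result[adom] = "missing"
        elif status.rows == 0:
            result[adom] = "empty"
        else:
            result[adom] = "ok"
    return result


def tracked_count_consistent(text: str) -> bool:
    """The summary count should equal the number of per-ADOM lines parsed;
    a mismatch means a line was in a format this parser does not understand."""
    report = parse_siemdb_report(text)
    return report.total_tracked is not None and report.total_tracked == len(report.adoms)


if __name__ == "__main__":
    expected = ["Fabric_ADOM1", "Fabric_ADOM2", "Fabric_ADOM3"]
    for adom, state in check_fabric_adoms(SAMPLE_OUTPUT, expected).items():
        print(f"{adom}: {state}")
    print("summary count consistent:", tracked_count_consistent(SAMPLE_OUTPUT))
```

Feed it the captured output of the diagnose command (for example, from an SSH session) and the list of Fabric ADOMs that have logging devices; a "missing" result for an ADOM that should be receiving logs means the device was not promoted into that Fabric ADOM or has not yet sent anything, while "empty" means the database exists but nothing has been inserted. The consistency check guards against silently ignoring ADOM lines whose layout differs from the one this page shows.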
When other types of devices such as FortiMail and FortiWeb are added to the Fabric ADOM, their logs are also displayed.
Click Column Settings to change the columns that are displayed.
Double click on an individual log to view its details. Details are displayed according to groups.
SIEM log display can be filtered based on SIEM fields.